The non-stop news of security breaches in recent years underscores a growing realization that organizations need to fundamentally rethink the way they protect their applications and data.
This post was originally published on infosecurity.com
The non-stop news of security breaches in recent years underscores a growing realization that organizations need to fundamentally rethink the way they protect their applications and data. Most of the damage has come from a new generation of attacks that target application programming interfaces (APIs), which have resulted in breaches at Facebook, T-Mobile, Panera Bread and Verizon, among others, while the United States Postal Service (USPS) and Google have also disclosed major API vulnerabilities.
It’s particularly worrisome that many of these breaches remain undetected for months or even years, despite the fact that targeted companies have deployed sophisticated security practices that are supposed to keep them safe.
The problem is that many organizations continue to rely on security approaches designed to protect environments that were fundamentally different from those in use today. From a security perspective, modern SaaS, web, mobile, micro-services and IoT applications function like large office buildings that have employees, customers and service workers coming in and out, with a range of assets, access, and security levels for different areas.
Meanwhile, most organizations continue to take an approach that worked to protect a house, in which a perimeter alarm and a strong lock are deemed sufficient to keep assets safe.
Like houses, the environments that had to be protected for traditional applications and data were relatively simple compared to modern applications. Security solutions of the day worked to keep hackers on the outside while providing broad and largely unmonitored access for authorized users. Their main components of defense: typical web application firewalls (WAFs), focused on perimeter protection and guarding against known or predictable attacks – and that was enough to turn most hackers away in search of undefended targets.
However, the way that modern applications are built and delivered has evolved in recent years so that they function more like large office buildings. APIs have proliferated across application environments to allow access to a much broader range of users, just as office buildings admit a wide range of people from employees to customers to contractors.
At the same time, the quantity and sensitivity levels of the data that applications expose and transmit have increased. Laptops with web browsers and mobile devices with applications are capable of performing increasingly complex tasks, so processes once handled on the server side (behind a firewall) have become more complex and shifted to the client side. This means providing secure access to data with varying levels of sensitivity and access level requirements, just like different areas of an office building have to be protected in different ways depending on what’s inside.
Attackers have learned how to take advantage of the complexity and uniqueness of today’s application structures. This generation of attacks can’t be identified by a signature because vulnerabilities are unique to each organization and each application. Developer expertise is focused on functionality, not security, and developers just don’t think in the devious ways that attackers do.
It’s unreasonable to expect sound development practices to nullify sophisticated threats. To protect modern environments that look more like office buildings than homes, enterprises need to adopt a proactive “monitor and respond” approach rather than focusing solely on secure perimeters and access controls.
The APIs at the core of today’s applications are as complex and unique as the environments to which they connect, and attackers take advantage of this by looking for vulnerabilities in the unique logic of each API. An effective security approach for modern web applications needs to have a clear understanding of the different users coming in and out and how those users should normally behave, as well as where and how sensitive data is stored.
More specifically, this means understanding the unique logic of each API at a granular level to identify potentially malicious behavior and stop attacks.
Unfortunately, traditional security measures cannot understand the unique logic of different APIs at a granular level and therefore cannot distinguish between normal usage and what is malicious behavior for each unique API. Companies have tried to address potential vulnerabilities by testing or white hat hacking each API, but this is a lengthy trial-and-error process that often leaves gaps and can’t keep pace with the speed and complexity of today’s development cycles, let alone the evolution of attackers.
The only way to prevent an attacker from exploiting unique API vulnerabilities is to monitor API usage in the same way that office security teams keep track of people moving around a building. Within the application, security must recognize the user initiating an action through an API, the target of that action and whether that action is appropriate for the user, the API and the application.
This approach can identify even the most subtle, advanced threats that are attempting to exploit unique features of an API or application to stage an attack or steal data.
This new approach works in the same way that various alerts and monitoring systems protect the variety of assets in different parts of a large office while allowing employees, contractors, visitors and others to conduct business freely. The structure of web applications has evolved from the relative simplicity of a house to the sprawling complexity of an office building – our security approach needs to evolve too.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.